Edit tour

Windows Analysis Report
tiago.exe

Overview

General Information

Sample name:	tiago.exe
Analysis ID:	1390958
MD5:	41b99b0770f01afbd80481fb6f811bcc
SHA1:	58ee2fb1672b3af2db7997bb91cf3ab138d801e1
SHA256:	d457b15dfcdd6669d60af6d96f56757674b6f0fbba11999f76f47e03bd635d09
Tags:	exe
Infos:

Detection

Reverse SSH

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Outlook Reverse SSH

PE file contains sections with non-standard names

Potential time zone aware malware

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Tries to load missing DLLs

Classification

Process Tree

System is w10x64

tiago.exe (PID: 6804 cmdline: C:\Users\user\Desktop\tiago.exe MD5: 41B99B0770F01AFBD80481FB6F811BCC)

conhost.exe (PID: 6056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
tiago.exe	JoeSecurity_ReverseSSH	Yara detected Outlook Reverse SSH	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1237510418.0000000000D7A000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReverseSSH	Yara detected Outlook Reverse SSH	Joe Security
00000000.00000002.2489434623.0000000000D7A000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReverseSSH	Yara detected Outlook Reverse SSH	Joe Security
Process Memory Space: tiago.exe PID: 6804	JoeSecurity_ReverseSSH	Yara detected Outlook Reverse SSH	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.tiago.exe.560000.0.unpack	JoeSecurity_ReverseSSH	Yara detected Outlook Reverse SSH	Joe Security
0.2.tiago.exe.560000.0.unpack	JoeSecurity_ReverseSSH	Yara detected Outlook Reverse SSH	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: tiago.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: tiago.exe

ReversingLabs: Detection: 23%

Source: tiago.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\rprichard\proj\winpty\src\Release\x64\winpty.pdb source: tiago.exe
Source:	Binary string: C:\rprichard\proj\winpty\src\Release\x64\winpty-agent.pdb source: tiago.exe

Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.129

Source: C:\Users\user\Desktop\tiago.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tiago.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\tiago.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\tiago.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\tiago.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\tiago.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\tiago.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tiago.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\tiago.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\tiago.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\tiago.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\tiago.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\tiago.exe	Section loaded: mswsock.dll	Jump to behavior

Source: classification engine

Classification label: mal64.troj.winEXE@2/1@0/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6056:120:WilError_03

Source: C:\Users\user\Desktop\tiago.exe

File opened: C:\Windows\system32\92ce28ff278bbce557f6d63a6e428624a84c1480dafc1d81a65ca01fa2e182b5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: tiago.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\tiago.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tiago.exe

ReversingLabs: Detection: 23%

Source: tiago.exe	String found in binary or memory: text= via %s zombie% CPU (, goid=, j0 = -NoLogo19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625: type ::ffff::method:scheme:statusACK badAddressAvestanBengaliBrailleCLOSINGCONNECTChanDirCopySidCreatedCypriotDeseretDstMaskEd25519ElbasanElymaicEnabledExpiresFATAL: ForkingFreeSidGODEBUGGranthaHEADERSHanunooHighRxtIM UsedINITIALIO waitJanuaryKannadaMD2-RSAMD5-RSAMUI_DltMUI_StdMakasarMandaicMarchenMaxCwndMaxSizeMultaniMyanmarNextHopNoRouteOctoberOsmanyaPATHEXTPayloadPktTypeRadicalRefererSHA-224SHA-256SHA-384SHA-512SegTimeSharadaShavianSiddhamSinhalaSleepExSndCwndSockErrSogdianSoyomboSrcMaskSubjectSwapperTagalogTibetanTimeoutTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUNKNOWNUnknownUpgradeWARNINGWSARecvWSASendWarning\\.\UNCtypes value=abortedanswersarcfouravx512fbucketscharsetchtimeschunkedcmd.execommandconnectconsolecpuprofderiveddstAddrexpiresfailurefloat32float64forcegcgctracehandlerhead = headershttp://installinvalidipv4TOSipv4TTLlookup minpc= nil keyoptionsosxsavepacer: panic: rcvListreaddirrefererrefreshregularrssh://runningsendTOSserial:servicesessionsignal srcAddrssh-dssssh-rsasshtypesymlinksyscalltrailertupleIDuintptrunackedunknownupgradeusage: userMSSwaitingwindowswriteatwsarecvwsasendx64/xp/ bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= ping=%q pointer stack=[ status %!Month(2.5.4.102.5.4.112.5.4.173des-cbc48828125AcceptExAcceptedArmenianAssignedBAD RANKBalineseBindAddrBopomofoBugineseCancelIoCherokeeClassANYConflictContinueCtrl + CCtrl + DCurveID(CyrillicDNS nameDSA-SHA1DecemberDenyTypeDisabledDuployanEqualSidEthiopicExtenderFebruaryFullPathGeorgianGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaHopLimitHost: %sIsWindowJavaneseKatakanaKayah_LiL3HdrLenLAST-ACKLinear_ALinear_BLinkAddrLocationMD5+SHA1MahajaniMatchersNO_ERRORNO_PROXYNetProtoNovemberOffenderOl_ChikiOrigin: PRIORITYParseIntPhags_PaProtocolQuestionRTTStateReadFileReceivedReceiverRecentTSSETTINGSSHA1-RSASHA3-224SHA3-256SHA3-384SHA3-512SYN-RCVDSYN-SENTSaturdaySendTSOkSetEventSsthreshTSOffsetTagbanwaTai_ThamTai_VietThursdayTifinaghTimeoutsTypeAAAATypeAXFRUgariticWLastMaxWSAIoctlXmitTime[::1]:53[:word:][signal stack=[_gatewayacceptexaddress argumentavx512bwavx512cdavx512dqavx512eravx512pfavx512vlboundNICcapacitycgocheckconsumedcontinuecs deadlockdnatDoneerrQueueexecwaitexporterfile+netfinishedfs gs hijackedhost keyhttp/1.1if-matchif-rangeintervalinvalid ip4:icmplastUsedlistenEPlocationloopbackmodifiednetProtonistp256nistp384nistp521no anodeno-cacheno_proxyoriginalpasswordphoturispollDescr10 r11 r12 r13 r14 r15 r8 r9 rax rbp rbx rcvQueuercvReadyrcvdTimercvlowatrcx rdi readfromreadlinkrecvfromredirectrefCountreservedrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdownsnatDonestrconv.traceBuftrigger=truncateuniqueIDunixgramunknown(v4Tablesv6TableswasBoundwsaioctlx509sha1xmitTime (forced) -> node= B exp.)
Source: tiago.exe	String found in binary or memory: %s\.+*?()\|[]{}^$accept-charsetallocfreetracebad allocCountbad record MACbad restart PCbad span stateboundPortFlagschannelDataMsgchannelOpenMsgconnect failedcontent-lengthdata truncatedexitedRecoveryfile too largefinalizeResultfinalizer waitgcstoptheworldgetprotobynamehasNewSACKInfointernal errorinvalid optioninvalid syntaxis a directorylevel 2 haltedlevel 3 haltedmulticastNICIDmultipartfilesneed more datanil elem type!no module datano such devicepacket too bigport is in usepowershell.exeprotocol errorrawPacketEntryread_frame_eofruntime: full=runtime: want=s.allocCount= semaRoot queuesendBufferSizesequenceNumbersockErrorEntrysource-addressssh-connectionstack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersudpPacketEntryunexpected EOFunknown code: unknown deviceunknown error unknown methodunknown mode: unknown nic idunreachable: unsafe.PointeruserArenaStatewinapi error #work.full != 0zero parameter with GC prog
Source: tiago.exe	String found in binary or memory: span set block with unpopped elements found in resetssh: error parsing source-address restriction %q: %vssh: peer's curve25519 public value has wrong lengthssh: unexpected message type %d (expected one of %v)tls: received a session ticket with invalid lifetimetls: server selected unsupported protocol version %xunrecognized result from DeliverTransportPacket = %dwebsocket: cannot set deadline: not using a net.Connx509: cannot verify signature: insecure algorithm %vUnderflows should only return RuleAccept or RuleDrop.--nameName of service to act on, defaults to 'rssh'cannot create a route with NICs from different stackschacha20: internal error: wrong dst and/or src lengthcompileCallback: argument size is larger than uintptrcrypto/ecdh: internal error: mismatched isLess inputscrypto/elliptic: attempted operation on invalid pointhttp2: Framer %p: failed to decode just-written framehttp2: Transport failed to get client conn for %s: %vhttp: putIdleConn: too many idle connections for hostillegal use of AllowIllegalReads with ReadMetaHeadersndpdad: already performing DAD for addr %s on NIC(%d)pem: cannot encode a header key that contains a colonreflect.Value.Slice: string slice index out of boundsssh: server-generated gex p is out of range (%d bits)tls: HKDF-Expand-Label invocation failed unexpectedlytls: received unexpected handshake message of type %Tunable to run with conpty, falling back to winpty: %vunexpected error when reading domain name's label: %sx509: certificate specifies an incompatible key usageSYSTEM\CurrentControlSet\Services\EventLog\ApplicationURI with IP (%q) cannot be matched against constraintsgoroutine running on other thread; stack unavailable
Source: tiago.exe	String found in binary or memory: Unexpected entry in leak checking map: reference %p already added--fingerprintServer public key SHA256 hex fingerprint for authconflicting primitiveTypeDatabase entry for %T: used by primitivecryptobyte: pending child length %d exceeds %d-byte length prefixfound unknown destination header option = %#v with discard actionndp: must have a tempAddr entry to deprecate temporary address %snet/http: Transport.DialTLS or DialTLSContext returned (nil, nil)nistec: internal error: p224Table called with out-of-bounds valuenistec: internal error: p384Table called with out-of-bounds valuenistec: internal error: p521Table called with out-of-bounds valuepkg/tcpip/network/ipv4.icmpv4DestinationProtoUnreachableSockErrorruntime.SetFinalizer: pointer not at beginning of allocated blocktls: server selected an invalid version after a HelloRetryRequestunexpected error when informing NIC of neighbor probe message: %suser arena chunk size is not a mutliple of the physical page sizex509: inner and outer signature algorithm identifiers don't matchx509: issuer name does not match subject from issuing certificateDHCPv6NoConfigurationDHCPv6ManagedAddressDHCPv6OtherConfigurationsUnable to unmarshal remote forward request in order to stop it: %scryptobyte: high-tag number identifier octects not supported: 0x%xndp: must have a tempAddr entry to clean up temp addr %s resourcesndp: must have a tempAddr entry to invalidate temporary address %stls: certificate private key (%T) does not implement crypto.Signerunable to query buffer size from InitializeProcThreadAttributeListunexpected error when reading the option's Length field for %s: %sunexpected error writing trailing period to domain name buffer: %svirtioNetHeaderlinkHeadernetworkHeadertransportHeadernumHeaderTypex509: certificate is not valid for any names, but wanted to match -d or --destinationServer connect back address (can be baked in)copied %d bytes in the replacement option buffer, expected %d bytesfailed to increment reference count for local address endpoint = %spkg/tcpip/network/internal/ip.ErrNoMulticastPendingQueueBufferSpacepkg/tcpip/network/ipv6.icmpv6DestinationAddressUnreachableSockErrorpkg/tcpip/network/ipv6.icmpv6DestinationNetworkUnreachableSockErrorssh: no address known for client, but source-address match requiredtls: server sent certificate containing RSA key larger than %d bits2695994666715063979466701508701962594045780771442439172168272236806126959946667150639794667015087019630673557916260026308143510066298881crypto/hmac: hash generation function does not produce unique valuesgo package net: built with netgo build tag; using Go's DNS resolver
Source: tiago.exe	String found in binary or memory: net/addrselect.go
Source: tiago.exe	String found in binary or memory: golang.org/x/sys@v0.8.0/windows/svc/eventlog/install.go
Source: tiago.exe	String found in binary or memory: gvisor.dev/gvisor@v0.0.0-20230610041700-6b8dbbf6f6fb/pkg/state/addr_set.go
Source: tiago.exe	String found in binary or memory: gvisor.dev/gvisor@v0.0.0-20230610041700-6b8dbbf6f6fb/pkg/tcpip/stack/address_state_mutex.go
Source: tiago.exe	String found in binary or memory: gvisor.dev/gvisor@v0.0.0-20230610041700-6b8dbbf6f6fb/pkg/tcpip/stack/address_state_refs.go
Source: tiago.exe	String found in binary or memory: gvisor.dev/gvisor@v0.0.0-20230610041700-6b8dbbf6f6fb/pkg/tcpip/stack/addressable_endpoint_state.go
Source: tiago.exe	String found in binary or memory: gvisor.dev/gvisor@v0.0.0-20230610041700-6b8dbbf6f6fb/pkg/tcpip/stack/addressable_endpoint_state_mutex.go

Source: unknown	Process created: C:\Users\user\Desktop\tiago.exe C:\Users\user\Desktop\tiago.exe
Source: C:\Users\user\Desktop\tiago.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: tiago.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: tiago.exe

Static file information: File size 11424768 > 1048576

Source: tiago.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3cca00
Source: tiago.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x6c4800

Source: tiago.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\rprichard\proj\winpty\src\Release\x64\winpty.pdb source: tiago.exe
Source:	Binary string: C:\rprichard\proj\winpty\src\Release\x64\winpty-agent.pdb source: tiago.exe

Source: tiago.exe

Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\tiago.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\tiago.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\tiago.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: tiago.exe, 00000000.00000002.2495116429.0000022EC07DC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\tiago.exe

Process information queried: ProcessInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Stealing of Sensitive Information

Yara detected Outlook Reverse SSH

Source: Yara match	File source: tiago.exe, type: SAMPLE
Source: Yara match	File source: 0.0.tiago.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tiago.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1237510418.0000000000D7A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2489434623.0000000000D7A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tiago.exe PID: 6804, type: MEMORYSTR

Remote Access Functionality

Yara detected Outlook Reverse SSH

Source: Yara match	File source: tiago.exe, type: SAMPLE
Source: Yara match	File source: 0.0.tiago.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tiago.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1237510418.0000000000D7A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2489434623.0000000000D7A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tiago.exe PID: 6804, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
tiago.exe	24%	ReversingLabs	Win64.Hacktool.RevhellMarte
tiago.exe	100%	Avira	TR/Redcap.leocq

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.190.152.129	unknown	Russian Federation		41615	RSHB-ASRU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1390958
Start date and time:	2024-02-12 17:32:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	tiago.exe
Detection:	MAL
Classification:	mal64.troj.winEXE@2/1@0/1
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target tiago.exe, PID 6804 because there are no executed function
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: tiago.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RSHB-ASRU	0EZ9Ho3Ruc.exe	Get hash	malicious	RedLine	Browse	194.190.152.148
	Paralysis Hack.exe	Get hash	malicious	zgRAT	Browse	194.190.153.137
	file.exe	Get hash	malicious	000Stealer	Browse	194.190.152.193
	EgNIXduB6T.exe	Get hash	malicious	Erbium Stealer	Browse	194.190.152.194
	2MNB4UhUqR.exe	Get hash	malicious	RedLine	Browse	194.190.152.20
	w9d568i4Ia.exe	Get hash	malicious	DCRat	Browse	194.190.152.128
	3pqdFTqin9.exe	Get hash	malicious	DCRat	Browse	194.190.152.128
	nJX6vEzSO5.exe	Get hash	malicious	RedLine	Browse	194.190.153.31
	X3JoqrBG6b.dll	Get hash	malicious	Amadey	Browse	194.190.152.209
	Hlf35fELn8.exe	Get hash	malicious	Amadey	Browse	194.190.152.209

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

\Device\Mup\user-PC\PIPE\samr

Download File

Process:	C:\Users\user\Desktop\tiago.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	160
Entropy (8bit):	4.438743916256937
Encrypted:	false
SSDEEP:	3:rmHfvtH//STGlA1yqGlYUGk+ldyHGlgZty:rmHcKtGFlqty
MD5:	E467C82627F5E1524FDB4415AF19FC73
SHA1:	B86E3AA40E9FBED0494375A702EABAF1F2E56F8E
SHA-256:	116CD35961A2345CE210751D677600AADA539A66F046811FA70E1093E01F2540
SHA-512:	2A969893CC713D6388FDC768C009055BE1B35301A811A7E313D1AEEC1F75C88CCDDCD8308017A852093B1310811E90B9DA76B6330AACCF5982437D84F553183A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	................................xW4.4.....#Eg.......]..........+.H`........xW4.4.....#Eg......3.qq..7I......6........xW4.4.....#Eg......,..l..@E............

Static File Info

General

File type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.150692148279526
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	tiago.exe
File size:	11'424'768 bytes
MD5:	41b99b0770f01afbd80481fb6f811bcc
SHA1:	58ee2fb1672b3af2db7997bb91cf3ab138d801e1
SHA256:	d457b15dfcdd6669d60af6d96f56757674b6f0fbba11999f76f47e03bd635d09
SHA512:	f9642a06e797992423b3d93785d175b081637b691c41d3f4a35dfd2860aa83cb967c4ceeace86a61e524f1ef674d1af1fab1de8e82ca45b11254cb666b78b08e
SSDEEP:	98304:BFS5S20uKttNYdJpKEiZGZBRA5RAWktxhI:B8qLSpXiI/C5CbhI
TLSH:	71B64A47F95045A8C0BAD134C6664262BB727C4A4B3077D72B50F7B82F73BE4AA7A350
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........R........".......<..........w........@...........................................`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4677a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	f0ea7b7844bbc5bfa9bb32efdcea957c

Entrypoint Preview

Instruction
jmp 00007FFA80E63EA0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
dec eax
sub esp, 30h
dec ecx
mov ebp, ecx
dec ecx
mov edi, eax
dec eax
mov edx, dword ptr [00AC2F3Bh]
dec eax
mov edx, dword ptr [edx]
dec eax
cmp edx, 00000000h
jne 00007FFA80E67B0Eh
dec eax
mov eax, 00000000h
jmp 00007FFA80E67BD3h
dec eax
mov edx, dword ptr [edx]
dec eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb39000	0x490	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb3a000	0x143c8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa93620	0x148	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3cc91b	0x3cca00	6f6399710d8e73bb4d97595fdbf2c895	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3ce000	0x6c4690	0x6c4800	63a7bf6fc3ecd59bb5a5e7001a3d6669	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa93000	0xa5c90	0x3f000	54561056e6fe60f41c2f702be9d3398d	False	0.41117931547619047	data	5.234257557198867	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb39000	0x490	0x600	595e8ed1d9e0ecb6593a211ad55f6ce0	False	0.3372395833333333	data	3.6155714884176935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xb3a000	0x143c8	0x14400	76a4bf18422ef148f168c11482b6a453	False	0.22239101080246915	data	5.439601861168321	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0xb4f000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 12, 2024 17:32:59.850532055 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:00.088032007 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:00.088325024 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:00.088802099 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:00.326031923 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:00.326086998 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:00.326548100 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:00.326765060 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:00.327115059 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:00.327133894 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:00.564398050 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:00.565198898 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:00.565217972 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:00.565233946 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:00.565314054 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:00.565882921 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:00.566060066 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:00.803311110 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:00.803352118 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:00.807303905 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:01.045042992 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:01.045305014 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:01.283900976 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:01.284311056 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:01.523307085 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:01.523700953 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:01.523780107 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:01.523948908 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:01.804080963 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:06.761651039 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:06.761912107 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:06.999236107 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:11.999667883 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:12.000025988 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:12.237319946 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:17.237936974 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:17.240813971 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:17.478126049 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:22.479029894 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:22.479430914 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:22.716727972 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:27.717403889 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:27.717801094 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:27.956814051 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:32.956219912 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:32.956302881 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:32.956500053 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:32.956706047 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:33.193846941 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:38.195077896 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:38.195425987 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:38.433078051 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:43.434425116 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:43.435403109 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:43.673126936 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:48.673547029 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:48.673903942 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:48.911345959 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:53.911984921 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:53.912009954 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:53.912098885 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:53.912359953 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:54.149949074 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:59.150465965 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:33:59.150665998 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:33:59.387840986 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:04.388051033 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:04.388103962 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:34:04.388485909 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:04.388730049 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:34:04.626533031 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:09.627732038 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:09.628041029 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:34:09.865379095 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:14.867907047 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:14.868135929 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:34:15.105669975 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:20.106281996 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:20.106539965 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:34:20.343950033 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:25.344005108 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:25.344063997 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:34:25.344367027 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:25.344609976 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:34:25.582134008 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:30.583266973 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:30.583574057 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:34:30.820888996 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:35.822144032 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:35.822630882 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:34:36.059968948 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:41.061084986 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:41.061403990 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:34:41.298902988 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:46.299810886 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:46.299895048 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:46.299981117 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:34:46.300414085 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:34:46.537925005 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:51.541538954 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:51.562390089 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:34:51.800179005 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:56.799938917 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:56.800009966 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:34:56.801222086 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:34:56.801460981 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:34:57.038727045 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:35:02.039608002 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:35:02.039925098 CET	49701	80	192.168.2.7	194.190.152.129
Feb 12, 2024 17:35:02.277180910 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:35:07.278373957 CET	80	49701	194.190.152.129	192.168.2.7
Feb 12, 2024 17:35:07.321909904 CET	49701	80	192.168.2.7	194.190.152.129

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49701	194.190.152.129	80	6804	C:\Users\user\Desktop\tiago.exe

Timestamp	Bytes transferred	Direction	Data
Feb 12, 2024 17:33:00.088802099 CET	26	OUT	Data Raw: 53 53 48 2d 76 32 2e 33 2e 31 2d 77 69 6e 64 6f 77 73 5f 61 6d 64 36 34 0d 0a Data Ascii: SSH-v2.3.1-windows_amd64
Feb 12, 2024 17:33:00.326086998 CET	21	IN	Data Raw: 53 53 48 2d 32 2e 30 2d 4f 70 65 6e 53 53 48 5f 38 2e 30 0d 0a Data Ascii: SSH-2.0-OpenSSH_8.0
Feb 12, 2024 17:33:00.326548100 CET	608	IN	Data Raw: 00 00 02 5c 0d 14 1a fd a0 0b e2 c5 cf e7 e2 ec 3d cd 03 cd 89 99 00 00 00 a1 63 75 72 76 65 32 35 35 31 39 2d 73 68 61 32 35 36 2c 63 75 72 76 65 32 35 35 31 39 2d 73 68 61 32 35 36 40 6c 69 62 73 73 68 2e 6f 72 67 2c 65 63 64 68 2d 73 68 61 32 Data Ascii: \=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1ssh-ed25519laes128-gcm@openssh.com,aes256-gcm@ope
Feb 12, 2024 17:33:00.327115059 CET	1008	OUT	Data Raw: 00 00 03 ec 12 14 2f 2b 49 d8 79 ca e2 23 81 38 83 08 e1 82 55 9e 00 00 00 ac 63 75 72 76 65 32 35 35 31 39 2d 73 68 61 32 35 36 2c 63 75 72 76 65 32 35 35 31 39 2d 73 68 61 32 35 36 40 6c 69 62 73 73 68 2e 6f 72 67 2c 65 63 64 68 2d 73 68 61 32 Data Ascii: /+Iy#8Ucurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-crsa-sha2-512-cert-v01@openssh.com,rsa-sha
Feb 12, 2024 17:33:00.327133894 CET	48	OUT	Data Raw: 00 00 00 2c 06 1e 00 00 00 20 a6 c5 22 7d 99 91 ad 9e bd 0b c1 e7 ca 3b 64 5a d9 65 2c 66 6d be 7a 19 10 9d f6 4e 03 0b 03 07 3d 78 d4 fb 23 47 Data Ascii: , "};dZe,fmzN=x#G
Feb 12, 2024 17:33:00.565198898 CET	192	IN	Data Raw: 00 00 00 bc 08 1f 00 00 00 33 00 00 00 0b 73 73 68 2d 65 64 32 35 35 31 39 00 00 00 20 d3 a5 7f f2 29 d7 53 21 71 56 81 ee c6 56 6c 11 6b f7 fd 68 7b b1 48 cc d6 f0 b1 d8 98 44 10 21 00 00 00 20 b2 8b 02 ee 6a 44 ea 59 ef 84 76 a7 2d d2 3a 1a 91 Data Ascii: 3ssh-ed25519 )S!qVVlkh{HD! jDYv-:q^zdPSssh-ed25519@9JqbZBTL6E>&&>\|H*fPMRP)1qX&N
Feb 12, 2024 17:33:00.565217972 CET	16	IN	Data Raw: 00 00 00 0c 0a 15 cb 6c 78 ea 3e cc ae 9b f3 d6 Data Ascii: lx>
Feb 12, 2024 17:33:00.565233946 CET	228	IN	Data Raw: 00 00 00 d0 f8 3f 92 ba a3 91 7e 45 12 98 3d 18 8c 1f b8 10 01 67 b4 74 83 fe be 8a 33 d6 5c f8 4d c2 d7 a1 19 0c d1 69 7a 35 6a 02 23 ba ad 0a c8 38 5a 41 f4 b7 02 41 c1 de 12 d2 e3 80 47 9d 83 a8 d4 4f 7d a8 ff d2 f4 5f e3 c9 ed b6 c5 69 ad 08 Data Ascii: ?~E=gt3\Miz5j#8ZAAGO}_ih/@lrPq3:] Xmd_Y=VD_q<\FS5ZqMZa^G`Ayp~x7WoDQ=%=V1?Nb&k A&-R
Feb 12, 2024 17:33:00.565882921 CET	16	OUT	Data Raw: 00 00 00 0c 0a 15 3e 58 a0 07 8b 7c ea 25 25 9a Data Ascii: >X\|%%
Feb 12, 2024 17:33:00.566060066 CET	52	OUT	Data Raw: 00 00 00 20 3c 3b 69 72 20 73 2f 58 e9 6e 20 eb 52 9d 38 2a 52 dd e4 3e 85 10 74 f9 f0 bc f4 63 8a d5 33 e3 70 2f d2 23 4a 73 3b 03 eb 6f bf 1f c7 59 16 bd Data Ascii: <;ir s/Xn R8*R>tc3p/#Js;oY

Target ID:	0
Start time:	17:32:58
Start date:	12/02/2024
Path:	C:\Users\user\Desktop\tiago.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\tiago.exe
Imagebase:	0x560000
File size:	11'424'768 bytes
MD5 hash:	41B99B0770F01AFBD80481FB6F811BCC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Yara matches:	Rule: JoeSecurity_ReverseSSH, Description: Yara detected Outlook Reverse SSH, Source: 00000000.00000000.1237510418.0000000000D7A000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ReverseSSH, Description: Yara detected Outlook Reverse SSH, Source: 00000000.00000002.2489434623.0000000000D7A000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	17:32:58
Start date:	12/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report tiago.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\Mup\user-PC\PIPE\samr

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: tiago.exePID: 6804, Parent PID: 4056

General

Windows Analysis Report
tiago.exe